Bitdefender downloader.exe


Hello


I noticed there's an exe file in the Bitdefender Total Security 2017 folder which makes a connection to this IP: 93.184.221.133 on port 80


It looks like the Bitdefender update downloader, but:


https://otx.alienvault.com/indicator/ip/93.184.221.133/


https://www.virustotal.com/en/ip-address/93.184.221.133/information/


https://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=93.84.221.133&region=us


Can any users/mods confirm this is a legit file and IP for downloading updates?


Just wanna make sure you know...


MD5: 0EA1F32ACAD1AF4E1CD2076DEC7A859A
SHA-1: 1917FC73F4153346B593355FBE4B93255CFB9969

Bitdefender Total Security 2017
Build: 21.0.23.1101
Virus signature: 8419313
Engine version: 7.69760
Win 8.1 Pro




Thank you

downloader.exe

Comments

  • spikeles
    edited February 2017






    Look at the first and last seen dates. 2011, or 6 years ago. I wouldn't base any decisions or worries based on a 6 year old security report.









    Doesn't look particularly suspicious. The "Latest detected files that communicate with this IP address" section only looks scary because the majority of those are fake programs pretending to be real programs. If you click on one of the hashes and then go to the "behavioural analysis" tab you'll see why it accessed that IP. For example a few show as " update.iobit.com (93.184.221.133) " which is a well regarded system tool.


    The "Latest detected URLs" only show mostly 1 detected out of X scanners. That isn't enough to tell if something is infected, you normally want at least 25% or more to detect to convince me something is malicious, also the last detected URL was February last year, nothing in recent times.


    Another appears to be " cdn3.cpmstar.com (93.184.221.133) " which is an advertising network. Advertising networks often have malicious code/data injected into them by malware and is one of the reasons adblock is recommended.


    Based on the various URLs and other details I would guess the IP is some sort of CDN (Content Delivery Network) used by multiple systems, one that hosts many files so trojans and malware use it to download legitimate files to try to pretend to be not-fake.


    To back this up, whois shows the IP is owned by Edgecast, a Content Delivery Network.



    Quote



    % Abuse contact for '93.184.220.0 - 93.184.223.255' is 'abuse@edgecast.com'
    netname:        EDGECAST-NETBLK-03
    descr:          NETBLK-03-EU-93-184-220-0-22






    Can't see anything on there that would indicate anything to worry other than a red box in "email" column?


    --


    And finally:


    Here is the report for your file you uploaded to virustotal. Looks clean.


    Your file also passes the certificate check (right click on the .exe in Windows explorer, choose "Properties" then "Digital Signatures") and has valid digital signatures.



    Quote



            Verified:       Signed
            Signing date:   7:43 PM 28/09/2016
            Publisher:      Bitdefender SRL
            Company:        Bitdefender
            Description:    BitDefender Update Downloader
            Product:        Bitdefender Security
            Prod version:   3.0.3.926 167166
            File version:   3.0.3.926 167166
            MachineType:    64-bit



    You can also use SigCheck to do it too, so you can be sure the file hasn't been modified/infected (unless you have a rootkit intercepting those checks).


    --


    Based on this, I think the file is safe.
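The checks spikeles describes (signature status via Properties > Digital Signatures or SigCheck, hash comparison against VirusTotal) can be scripted from PowerShell; the following is an added example, not code from the thread or from Bitdefender, and the install path it uses is an assumption to adjust locally. It also maps the outbound connection the original poster noticed back to the process that owns it.

```powershell
# Added example (not from the thread): reproduce spikeles' checks from PowerShell.
# 1) Authenticode signature status and signer, 2) hashes vs the values the OP posted,
# 3) which local process currently holds the connection the OP noticed.
# The file path is an assumption; adjust it to wherever downloader.exe lives.

$Path         = 'C:\Program Files\Bitdefender\Bitdefender 2017\downloader.exe'  # assumed path
$ExpectedMd5  = '0EA1F32ACAD1AF4E1CD2076DEC7A859A'             # MD5 from the original post
$ExpectedSha1 = '1917FC73F4153346B593355FBE4B93255CFB9969'     # SHA-1 from the original post
$RemoteIp     = '93.184.221.133'

function Test-SignedBinary {
    param([string]$FilePath, [string]$ExpectedPublisher, [string]$Md5, [string]$Sha1)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    # Status 'Valid' means the chain verified AND the signed hash still matches the file bytes;
    # 'HashMismatch' means the file was modified after signing, 'NotSigned' means no signature.
    $signer = if ($sig.SignerCertificate)      { $sig.SignerCertificate.Subject }      else { '<unsigned>' }
    $ts     = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '<no timestamp>' }

    $md5    = (Get-FileHash -Path $FilePath -Algorithm MD5).Hash
    $sha1   = (Get-FileHash -Path $FilePath -Algorithm SHA1).Hash
    $sha256 = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash   # handy for a VirusTotal lookup

    [pscustomobject]@{
        Path        = $FilePath
        Status      = $sig.Status
        Signer      = $signer
        Timestamper = $ts
        SHA256      = $sha256
        SignatureOk = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedPublisher*")
        HashesMatch = ($md5 -eq $Md5) -and ($sha1 -eq $Sha1)
    }
}

# Map the observed outbound connection back to the owning process and its image path,
# so the IP can be tied to a specific binary that can then be checked with Test-SignedBinary.
function Get-ConnectionOwner {
    param([string]$Ip)
    Get-NetTCPConnection -RemoteAddress $Ip -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ LocalPort = $_.LocalPort; RemotePort = $_.RemotePort; State = $_.State
                           Pid = $_.OwningProcess; Image = $p.Path }
    }
}

Test-SignedBinary -FilePath $Path -ExpectedPublisher 'Bitdefender' -Md5 $ExpectedMd5 -Sha1 $ExpectedSha1 | Format-List
Get-ConnectionOwner -Ip $RemoteIp | Format-Table -AutoSize
```

As spikeles notes, a signature check run on a compromised host can itself be subverted, so a mismatch between the hashes in the thread and a locally computed hash is the stronger signal when the two disagree.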